Changeset 52741 in vbox for trunk/src/VBox/HostDrivers/Support
- Timestamp:
- Sep 14, 2014 8:24:08 PM (10 years ago)
- svn:sync-xref-src-repo-rev:
- 96085
- File:
-
- 1 edited
trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
r52739 r52741 235 235 /** Symantec endpoint protection or similar including SysPlant.sys. */ 236 236 #define SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT RT_BIT_32(0) 237 /** Symantec Norton 360. */ 238 #define SUPHARDNT_ADVERSARY_SYMANTEC_N360 RT_BIT_32(1) 237 239 /** Avast! */ 238 #define SUPHARDNT_ADVERSARY_AVAST RT_BIT_32(1) 240 #define SUPHARDNT_ADVERSARY_AVAST RT_BIT_32(2) 241 /** TrendMicro OfficeScan and probably others. */ 242 #define SUPHARDNT_ADVERSARY_TRENDMICRO RT_BIT_32(3) 243 /** McAfee. */ 244 #define SUPHARDNT_ADVERSARY_MCAFEE RT_BIT_32(4) 245 /** Kaspersky. */ 246 #define SUPHARDNT_ADVERSARY_KASPERSKY RT_BIT_32(5) 247 /** Malwarebytes Anti-Malware (MBAM). */ 248 #define SUPHARDNT_ADVERSARY_MBAM RT_BIT_32(6) 249 /** AVG Internet Security. */ 250 #define SUPHARDNT_ADVERSARY_AVG RT_BIT_32(7) 251 /** Panda Security. */ 252 #define SUPHARDNT_ADVERSARY_PANDA RT_BIT_32(8) 253 /** Microsoft Security Essentials. */ 254 #define SUPHARDNT_ADVERSARY_MSE RT_BIT_32(9) 239 255 /** Unknown adversary detected while waiting on child. */ 240 256 #define SUPHARDNT_ADVERSARY_UNKNOWN RT_BIT_32(31) … … 813 829 814 830 NTSTATUS rcNt; 831 NTSTATUS rcNtRedir = 0x22222222; 815 832 HANDLE hFile = INVALID_HANDLE_VALUE; 816 833 RTUTF16 wszPath[260 + 260]; /* Assumes we've limited the import name length to 256. 
*/ … … 839 856 PUNICODE_STRING pUniStrResult = NULL; 840 857 841 rcNt = RtlDosApplyFileIsolationRedirection_Ustr(1 /*fFlags*/,842 &UniStrName,843 (PUNICODE_STRING)&s_DefaultSuffix,844 &UniStrStatic,845 &UniStrDynamic,846 &pUniStrResult,847 NULL /*pNewFlags*/,848 NULL /*pcbFilename*/,849 NULL /*pcbNeeded*/);850 if (NT_SUCCESS(rcNt ))858 rcNtRedir = RtlDosApplyFileIsolationRedirection_Ustr(1 /*fFlags*/, 859 &UniStrName, 860 (PUNICODE_STRING)&s_DefaultSuffix, 861 &UniStrStatic, 862 &UniStrDynamic, 863 &pUniStrResult, 864 NULL /*pNewFlags*/, 865 NULL /*pcbFilename*/, 866 NULL /*pcbNeeded*/); 867 if (NT_SUCCESS(rcNtRedir)) 851 868 { 852 IO_STATUS_BLOCK Ios 869 IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER; 853 870 OBJECT_ATTRIBUTES ObjAttr; 854 871 InitializeObjectAttributes(&ObjAttr, pUniStrResult, … … 867 884 if (NT_SUCCESS(rcNt)) 868 885 rcNt = Ios.Status; 869 if (!NT_SUCCESS(rcNt)) 886 if (NT_SUCCESS(rcNt)) 887 { 888 /* For accurate logging. */ 889 size_t cwcCopy = RT_MIN(pUniStrResult->Length / sizeof(RTUTF16), RT_ELEMENTS(wszPath) - 1); 890 memcpy(wszPath, pUniStrResult->Buffer, cwcCopy * sizeof(RTUTF16)); 891 wszPath[cwcCopy] = '\0'; 892 } 893 else 870 894 hFile = INVALID_HANDLE_VALUE; 871 895 RtlFreeUnicodeString(&UniStrDynamic); … … 950 974 if (hFile != INVALID_HANDLE_VALUE) 951 975 { 952 SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: '%s' -> '%ls'\n", pCur->szName, wszPath)); 976 SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: '%s' -> '%ls' [rcNtRedir=%#x]\n", 977 pCur->szName, wszPath, rcNtRedir)); 953 978 954 979 ULONG fAccess = 0; … … 4538 4563 4539 4564 /** 4565 * Logs information about a file from a protection product. 4566 * 4567 * The purpose here is to better see which version of the product is installed 4568 * and not needing to depend on the user supplying the correct information. 4569 * 4570 * @param pwszFile The NT path to the file. 
4571 */ 4572 static void supR3HardenedLogAdversarialFile(PCRTUTF16 pwszFile) 4573 { 4574 /* 4575 * Open the file. 4576 */ 4577 HANDLE hFile = RTNT_INVALID_HANDLE_VALUE; 4578 IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER; 4579 UNICODE_STRING UniStrName; 4580 UniStrName.Buffer = (WCHAR *)pwszFile; 4581 UniStrName.Length = (USHORT)(RTUtf16Len(pwszFile) * sizeof(WCHAR)); 4582 UniStrName.MaximumLength = UniStrName.Length + sizeof(WCHAR); 4583 OBJECT_ATTRIBUTES ObjAttr; 4584 InitializeObjectAttributes(&ObjAttr, &UniStrName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/); 4585 NTSTATUS rcNt = NtCreateFile(&hFile, 4586 GENERIC_READ, 4587 &ObjAttr, 4588 &Ios, 4589 NULL /* Allocation Size*/, 4590 FILE_ATTRIBUTE_NORMAL, 4591 FILE_SHARE_READ, 4592 FILE_OPEN, 4593 FILE_NON_DIRECTORY_FILE, 4594 NULL /*EaBuffer*/, 4595 0 /*EaLength*/); 4596 if (NT_SUCCESS(rcNt)) 4597 rcNt = Ios.Status; 4598 if (NT_SUCCESS(rcNt)) 4599 { 4600 SUP_DPRINTF(("%ls:\n", pwszFile)); 4601 union 4602 { 4603 uint64_t u64AlignmentInsurance; 4604 FILE_BASIC_INFORMATION BasicInfo; 4605 FILE_STANDARD_INFORMATION StdInfo; 4606 uint8_t abBuf[32768]; 4607 RTUTF16 awcBuf[16384]; 4608 IMAGE_DOS_HEADER MzHdr; 4609 } u; 4610 RTTIMESPEC TimeSpec; 4611 char szTmp[64]; 4612 4613 /* 4614 * Print basic file information available via NtQueryInformationFile. 
4615 */ 4616 IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER; 4617 rcNt = NtQueryInformationFile(hFile, &Ios, &u.BasicInfo, sizeof(u.BasicInfo), FileBasicInformation); 4618 if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status)) 4619 { 4620 SUP_DPRINTF((" CreationTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.CreationTime.QuadPart), szTmp, sizeof(szTmp)))); 4621 /*SUP_DPRINTF((" LastAccessTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.LastAccessTime.QuadPart), szTmp, sizeof(szTmp))));*/ 4622 SUP_DPRINTF((" LastWriteTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.LastWriteTime.QuadPart), szTmp, sizeof(szTmp)))); 4623 SUP_DPRINTF((" ChangeTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.ChangeTime.QuadPart), szTmp, sizeof(szTmp)))); 4624 SUP_DPRINTF((" FileAttributes: %#x\n", u.BasicInfo.FileAttributes)); 4625 } 4626 else 4627 SUP_DPRINTF((" FileBasicInformation -> %#x %#x\n", rcNt, Ios.Status)); 4628 4629 rcNt = NtQueryInformationFile(hFile, &Ios, &u.StdInfo, sizeof(u.StdInfo), FileStandardInformation); 4630 if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status)) 4631 SUP_DPRINTF((" Size: %#llx\n", u.StdInfo.EndOfFile.QuadPart)); 4632 else 4633 SUP_DPRINTF((" FileStandardInformation -> %#x %#x\n", rcNt, Ios.Status)); 4634 4635 /* 4636 * Read the image header and extract the timestamp and other useful info. 
4637 */ 4638 RT_ZERO(u); 4639 LARGE_INTEGER offRead; 4640 offRead.QuadPart = 0; 4641 rcNt = NtReadFile(hFile, NULL /*hEvent*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/, &Ios, 4642 &u, (ULONG)sizeof(u), &offRead, NULL); 4643 if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status)) 4644 { 4645 uint32_t offNtHdrs = 0; 4646 if (u.MzHdr.e_magic == IMAGE_DOS_SIGNATURE) 4647 offNtHdrs = u.MzHdr.e_lfanew; 4648 if (offNtHdrs < sizeof(u) - sizeof(IMAGE_NT_HEADERS)) 4649 { 4650 PIMAGE_NT_HEADERS64 pNtHdrs64 = (PIMAGE_NT_HEADERS64)&u.abBuf[offNtHdrs]; 4651 PIMAGE_NT_HEADERS32 pNtHdrs32 = (PIMAGE_NT_HEADERS32)&u.abBuf[offNtHdrs]; 4652 if (pNtHdrs64->Signature == IMAGE_NT_SIGNATURE) 4653 { 4654 SUP_DPRINTF((" NT Headers: %#x\n", offNtHdrs)); 4655 SUP_DPRINTF((" Timestamp: %#x\n", pNtHdrs64->FileHeader.TimeDateStamp)); 4656 SUP_DPRINTF((" Machine: %#x%s\n", pNtHdrs64->FileHeader.Machine, 4657 pNtHdrs64->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 ? " - i386" 4658 : pNtHdrs64->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64 ? " - amd64" : "")); 4659 SUP_DPRINTF((" Timestamp: %#x\n", pNtHdrs64->FileHeader.TimeDateStamp)); 4660 SUP_DPRINTF((" Image Version: %u.%u\n", 4661 pNtHdrs64->OptionalHeader.MajorImageVersion, pNtHdrs64->OptionalHeader.MinorImageVersion)); 4662 SUP_DPRINTF((" SizeOfImage: %#x (%u)\n", pNtHdrs64->OptionalHeader.SizeOfImage, pNtHdrs64->OptionalHeader.SizeOfImage)); 4663 4664 /* 4665 * Very crude way to extract info from the file version resource. 
4666 */ 4667 PIMAGE_SECTION_HEADER paSectHdrs = (PIMAGE_SECTION_HEADER)( (uintptr_t)&pNtHdrs64->OptionalHeader 4668 + pNtHdrs64->FileHeader.SizeOfOptionalHeader); 4669 IMAGE_DATA_DIRECTORY RsrcDir = { 0, 0 }; 4670 if ( pNtHdrs64->FileHeader.SizeOfOptionalHeader == sizeof(IMAGE_OPTIONAL_HEADER64) 4671 && pNtHdrs64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE) 4672 RsrcDir = pNtHdrs64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE]; 4673 else if ( pNtHdrs64->FileHeader.SizeOfOptionalHeader == sizeof(IMAGE_OPTIONAL_HEADER32) 4674 && pNtHdrs32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE) 4675 RsrcDir = pNtHdrs32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE]; 4676 SUP_DPRINTF((" Resource Dir: %#x LB %#x\n", RsrcDir.VirtualAddress, RsrcDir.Size)); 4677 if ( RsrcDir.VirtualAddress > offNtHdrs 4678 && RsrcDir.Size > 0 4679 && (uintptr_t)&u + sizeof(u) - (uintptr_t)paSectHdrs 4680 >= pNtHdrs64->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER) ) 4681 { 4682 offRead.QuadPart = 0; 4683 for (uint32_t i = 0; i < pNtHdrs64->FileHeader.NumberOfSections; i++) 4684 if ( paSectHdrs[i].VirtualAddress - RsrcDir.VirtualAddress < paSectHdrs[i].SizeOfRawData 4685 && paSectHdrs[i].PointerToRawData > offNtHdrs) 4686 { 4687 offRead.QuadPart = paSectHdrs[i].PointerToRawData 4688 + (paSectHdrs[i].VirtualAddress - RsrcDir.VirtualAddress); 4689 break; 4690 } 4691 if (offRead.QuadPart > 0) 4692 { 4693 RT_ZERO(u); 4694 rcNt = NtReadFile(hFile, NULL /*hEvent*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/, &Ios, 4695 &u, (ULONG)sizeof(u), &offRead, NULL); 4696 if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status)) 4697 { 4698 static const struct { PCRTUTF16 pwsz; size_t cb; } s_abFields[] = 4699 { 4700 #define MY_WIDE_STR_TUPLE(a_sz) { L ## a_sz, sizeof(L ## a_sz) - sizeof(RTUTF16) } 4701 MY_WIDE_STR_TUPLE("ProductName"), 4702 MY_WIDE_STR_TUPLE("ProductVersion"), 4703 MY_WIDE_STR_TUPLE("FileVersion"), 4704 
MY_WIDE_STR_TUPLE("SpecialBuild"), 4705 MY_WIDE_STR_TUPLE("PrivateBuild"), 4706 MY_WIDE_STR_TUPLE("FileDescription"), 4707 #undef MY_WIDE_STR_TUPLE 4708 }; 4709 for (uint32_t i = 0; i < RT_ELEMENTS(s_abFields); i++) 4710 { 4711 size_t cwcLeft = (sizeof(u) - s_abFields[i].cb - 10) / sizeof(RTUTF16); 4712 PCRTUTF16 pwc = u.awcBuf; 4713 RTUTF16 const wcFirst = *s_abFields[i].pwsz; 4714 while (cwcLeft-- > 0) 4715 { 4716 if ( pwc[0] == 1 /* wType == text */ 4717 && pwc[1] == wcFirst) 4718 { 4719 if (memcmp(pwc + 1, s_abFields[i].pwsz, s_abFields[i].cb + sizeof(RTUTF16)) == 0) 4720 { 4721 size_t cwcField = s_abFields[i].cb / sizeof(RTUTF16); 4722 pwc += cwcField + 2; 4723 cwcLeft -= cwcField + 2; 4724 for (uint32_t iPadding = 0; iPadding < 3; iPadding++, pwc++, cwcLeft--) 4725 if (*pwc) 4726 break; 4727 int rc = RTUtf16ValidateEncodingEx(pwc, cwcLeft, 4728 RTSTR_VALIDATE_ENCODING_ZERO_TERMINATED); 4729 if (RT_SUCCESS(rc)) 4730 SUP_DPRINTF((" %ls:%*s %ls", 4731 s_abFields[i].pwsz, cwcField < 15 ? 15 - cwcField : 0, "", pwc)); 4732 else 4733 SUP_DPRINTF((" %ls:%*s rc=%Rrc", 4734 s_abFields[i].pwsz, cwcField < 15 ? 15 - cwcField : 0, "", rc)); 4735 4736 break; 4737 } 4738 } 4739 pwc++; 4740 } 4741 } 4742 } 4743 else 4744 SUP_DPRINTF((" NtReadFile @%#llx -> %#x %#x\n", offRead.QuadPart, rcNt, Ios.Status)); 4745 } 4746 else 4747 SUP_DPRINTF((" Resource section not found.\n")); 4748 } 4749 } 4750 else 4751 SUP_DPRINTF((" Nt Headers @%#x: Invalid signature\n", offNtHdrs)); 4752 } 4753 else 4754 SUP_DPRINTF((" Nt Headers @%#x: out side buffer\n", offNtHdrs)); 4755 } 4756 else 4757 SUP_DPRINTF((" NtReadFile @0 -> %#x %#x\n", rcNt, Ios.Status)); 4758 NtClose(hFile); 4759 } 4760 } 4761 4762 4763 /** 4540 4764 * Scans the Driver directory for drivers which may invade our processes. 4541 4765 * 4542 4766 * @returns Mask of SUPHARDNT_ADVERSARY_XXX flags. 4767 * 4768 * @remarks The enumeration of \Driver normally requires administrator 4769 * privileges. 
So, the detection we're doing here isn't always gonna 4770 * work just based on that. 4771 * 4772 * @todo Find drivers in \FileSystems as well, then we could detect VrNsdDrv 4773 * from ViRobot APT Shield 2.0. 4543 4774 */ 4544 4775 static uint32_t supR3HardenedWinFindAdversaries(void) 4545 4776 { 4777 static const struct 4778 { 4779 uint32_t fAdversary; 4780 const char *pszDriver; 4781 } s_aDrivers[] = 4782 { 4783 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SRTSPX" }, 4784 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymDS" }, 4785 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymEvent" }, 4786 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymIRON" }, 4787 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymNetS" }, 4788 4789 { SUPHARDNT_ADVERSARY_AVAST, "aswHwid" }, 4790 { SUPHARDNT_ADVERSARY_AVAST, "aswMonFlt" }, 4791 { SUPHARDNT_ADVERSARY_AVAST, "aswRdr2" }, 4792 { SUPHARDNT_ADVERSARY_AVAST, "aswRvrt" }, 4793 { SUPHARDNT_ADVERSARY_AVAST, "aswSnx" }, 4794 { SUPHARDNT_ADVERSARY_AVAST, "aswsp" }, 4795 { SUPHARDNT_ADVERSARY_AVAST, "aswStm" }, 4796 { SUPHARDNT_ADVERSARY_AVAST, "aswVmm" }, 4797 4798 { SUPHARDNT_ADVERSARY_TRENDMICRO, "tmcomm" }, 4799 { SUPHARDNT_ADVERSARY_TRENDMICRO, "tmactmon" }, 4800 { SUPHARDNT_ADVERSARY_TRENDMICRO, "tmevtmgr" }, 4801 { SUPHARDNT_ADVERSARY_TRENDMICRO, "tmtdi" }, 4802 { SUPHARDNT_ADVERSARY_TRENDMICRO, "tmebc64" }, /* Titanium internet security, not officescan. */ 4803 { SUPHARDNT_ADVERSARY_TRENDMICRO, "tmeevw" }, /* Titanium internet security, not officescan. */ 4804 { SUPHARDNT_ADVERSARY_TRENDMICRO, "tmciesc" }, /* Titanium internet security, not officescan. 
*/ 4805 4806 { SUPHARDNT_ADVERSARY_MCAFEE, "cfwids" }, 4807 { SUPHARDNT_ADVERSARY_MCAFEE, "McPvDrv" }, 4808 { SUPHARDNT_ADVERSARY_MCAFEE, "mfeapfk" }, 4809 { SUPHARDNT_ADVERSARY_MCAFEE, "mfeavfk" }, 4810 { SUPHARDNT_ADVERSARY_MCAFEE, "mfefirek" }, 4811 { SUPHARDNT_ADVERSARY_MCAFEE, "mfehidk" }, 4812 { SUPHARDNT_ADVERSARY_MCAFEE, "mfencbdc" }, 4813 { SUPHARDNT_ADVERSARY_MCAFEE, "mfewfpk" }, 4814 4815 { SUPHARDNT_ADVERSARY_KASPERSKY, "kl1" }, 4816 { SUPHARDNT_ADVERSARY_KASPERSKY, "klflt" }, 4817 { SUPHARDNT_ADVERSARY_KASPERSKY, "klif" }, 4818 { SUPHARDNT_ADVERSARY_KASPERSKY, "KLIM6" }, 4819 { SUPHARDNT_ADVERSARY_KASPERSKY, "klkbdflt" }, 4820 { SUPHARDNT_ADVERSARY_KASPERSKY, "klmouflt" }, 4821 { SUPHARDNT_ADVERSARY_KASPERSKY, "kltdi" }, 4822 { SUPHARDNT_ADVERSARY_KASPERSKY, "kneps" }, 4823 4824 { SUPHARDNT_ADVERSARY_MBAM, "MBAMWebAccessControl" }, 4825 { SUPHARDNT_ADVERSARY_MBAM, "mbam" }, 4826 { SUPHARDNT_ADVERSARY_MBAM, "mbamchameleon" }, 4827 { SUPHARDNT_ADVERSARY_MBAM, "mwav" }, 4828 { SUPHARDNT_ADVERSARY_MBAM, "mbamswissarmy" }, 4829 4830 { SUPHARDNT_ADVERSARY_AVG, "avgfwfd" }, 4831 { SUPHARDNT_ADVERSARY_AVG, "avgtdia" }, 4832 4833 { SUPHARDNT_ADVERSARY_PANDA, "PSINAflt" }, 4834 { SUPHARDNT_ADVERSARY_PANDA, "PSINFile" }, 4835 { SUPHARDNT_ADVERSARY_PANDA, "PSINKNC" }, 4836 { SUPHARDNT_ADVERSARY_PANDA, "PSINProc" }, 4837 { SUPHARDNT_ADVERSARY_PANDA, "PSINProt" }, 4838 { SUPHARDNT_ADVERSARY_PANDA, "PSINReg" }, 4839 { SUPHARDNT_ADVERSARY_PANDA, "PSKMAD" }, 4840 { SUPHARDNT_ADVERSARY_PANDA, "NNSAlpc" }, 4841 { SUPHARDNT_ADVERSARY_PANDA, "NNSHttp" }, 4842 { SUPHARDNT_ADVERSARY_PANDA, "NNShttps" }, 4843 { SUPHARDNT_ADVERSARY_PANDA, "NNSIds" }, 4844 { SUPHARDNT_ADVERSARY_PANDA, "NNSNAHSL" }, 4845 { SUPHARDNT_ADVERSARY_PANDA, "NNSpicc" }, 4846 { SUPHARDNT_ADVERSARY_PANDA, "NNSPihsw" }, 4847 { SUPHARDNT_ADVERSARY_PANDA, "NNSPop3" }, 4848 { SUPHARDNT_ADVERSARY_PANDA, "NNSProt" }, 4849 { SUPHARDNT_ADVERSARY_PANDA, "NNSPrv" }, 4850 { SUPHARDNT_ADVERSARY_PANDA, "NNSSmtp" }, 
4851 { SUPHARDNT_ADVERSARY_PANDA, "NNSStrm" }, 4852 { SUPHARDNT_ADVERSARY_PANDA, "NNStlsc" }, 4853 4854 { SUPHARDNT_ADVERSARY_MSE, "NisDrv" }, 4855 }; 4856 4857 static const struct 4858 { 4859 uint32_t fAdversary; 4860 PCRTUTF16 pwszFile; 4861 } s_aFiles[] = 4862 { 4863 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\SysPlant.sys" }, 4864 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\sysfer.dll" }, 4865 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\sysferThunk.dll" }, 4866 4867 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\ccsetx64.sys" }, 4868 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\ironx64.sys" }, 4869 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\srtsp64.sys" }, 4870 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\srtspx64.sys" }, 4871 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symds64.sys" }, 4872 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symefa64.sys" }, 4873 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symelam.sys" }, 4874 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symnets.sys" }, 4875 { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\symevent64x86.sys" }, 4876 4877 { SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswHwid.sys" }, 4878 { SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswMonFlt.sys" }, 4879 { SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswRdr2.sys" }, 4880 { SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswRvrt.sys" }, 4881 { SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswSnx.sys" }, 4882 { 
SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswsp.sys" }, 4883 { SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswStm.sys" }, 4884 { SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswVmm.sys" }, 4885 4886 { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmcomm.sys" }, 4887 { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmactmon.sys" }, 4888 { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmevtmgr.sys" }, 4889 { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmtdi.sys" }, 4890 { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmebc64.sys" }, 4891 { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmeevw.sys" }, 4892 { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmciesc.sys" }, 4893 4894 { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\cfwids.sys" }, 4895 { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\McPvDrv.sys" }, 4896 { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfeapfk.sys" }, 4897 { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfeavfk.sys" }, 4898 { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfefirek.sys" }, 4899 { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfehidk.sys" }, 4900 { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfencbdc.sys" }, 4901 { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfewfpk.sys" }, 4902 4903 { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\kl1.sys" }, 4904 { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klflt.sys" }, 4905 { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klif.sys" }, 4906 { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klim6.sys" }, 4907 { SUPHARDNT_ADVERSARY_KASPERSKY, 
L"\\SystemRoot\\System32\\drivers\\klkbdflt.sys" }, 4908 { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klmouflt.sys" }, 4909 { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\kltdi.sys" }, 4910 { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\kneps.sys" }, 4911 { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\klfphc.dll" }, 4912 4913 { SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\MBAMSwissArmy.sys" }, 4914 { SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\mwac.sys" }, 4915 { SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\mbamchameleon.sys" }, 4916 { SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\mbam.sys" }, 4917 4918 { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgrkx64.sys" }, 4919 { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgmfx64.sys" }, 4920 { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgidsdrivera.sys" }, 4921 { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgidsha.sys" }, 4922 { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgtdia.sys" }, 4923 { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgloga.sys" }, 4924 { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgldx64.sys" }, 4925 { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgdiska.sys" }, 4926 4927 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINAflt.sys" }, 4928 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINFile.sys" }, 4929 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINKNC.sys" }, 4930 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINProc.sys" }, 4931 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINProt.sys" }, 4932 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINReg.sys" }, 4933 { SUPHARDNT_ADVERSARY_PANDA, 
L"\\SystemRoot\\System32\\drivers\\PSKMAD.sys" }, 4934 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSAlpc.sys" }, 4935 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSHttp.sys" }, 4936 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNShttps.sys" }, 4937 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSIds.sys" }, 4938 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSNAHSL.sys" }, 4939 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSpicc.sys" }, 4940 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSPihsw.sys" }, 4941 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSPop3.sys" }, 4942 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSProt.sys" }, 4943 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSPrv.sys" }, 4944 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSSmtp.sys" }, 4945 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSStrm.sys" }, 4946 { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNStlsc.sys" }, 4947 4948 { SUPHARDNT_ADVERSARY_MSE, L"\\SystemRoot\\System32\\drivers\\MpFilter.sys" }, 4949 { SUPHARDNT_ADVERSARY_MSE, L"\\SystemRoot\\System32\\drivers\\NisDrvWFP.sys" }, 4950 }; 4951 4952 uint32_t fFound = 0; 4953 4546 4954 /* 4547 4955 * Open the driver object directory. … … 4557 4965 SUPR3HARDENED_ASSERT_NT_SUCCESS(rcNt); 4558 4966 #endif 4559 if (!NT_SUCCESS(rcNt)) 4560 return 0; 4561 4562 /* 4563 * Enumerate it, looking for the driver. 4564 */ 4565 uint32_t fFound = 0; 4566 ULONG uObjDirCtx = 0; 4567 for (;;) 4568 { 4569 uint32_t abBuffer[_64K + _1K]; 4570 ULONG cbActual; 4571 rcNt = NtQueryDirectoryObject(hDir, 4572 abBuffer, 4573 sizeof(abBuffer) - 4, /* minus four for string terminator space. 
*/ 4574 FALSE /*ReturnSingleEntry */, 4575 FALSE /*RestartScan*/, 4576 &uObjDirCtx, 4577 &cbActual); 4578 if (!NT_SUCCESS(rcNt) || cbActual < sizeof(OBJECT_DIRECTORY_INFORMATION)) 4579 break; 4580 4581 POBJECT_DIRECTORY_INFORMATION pObjDir = (POBJECT_DIRECTORY_INFORMATION)abBuffer; 4582 while (pObjDir->Name.Length != 0) 4583 { 4584 WCHAR wcSaved = pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)]; 4585 pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = '\0'; 4586 4587 #define IS_MATCH(a_Str) ( pObjDir->Name.Length == sizeof(L##a_Str) - sizeof(WCHAR) \ 4588 && RTUtf16ICmpAscii(pObjDir->Name.Buffer, a_Str) == 0) 4589 if (IS_MATCH("sysplant")) 4590 fFound |= SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT; 4591 else if (IS_MATCH("aswHwid")) 4592 fFound |= SUPHARDNT_ADVERSARY_AVAST; 4593 else if (IS_MATCH("aswMonFlt")) 4594 fFound |= SUPHARDNT_ADVERSARY_AVAST; 4595 else if (IS_MATCH("aswRdr2")) 4596 fFound |= SUPHARDNT_ADVERSARY_AVAST; 4597 else if (IS_MATCH("aswRvrt")) 4598 fFound |= SUPHARDNT_ADVERSARY_AVAST; 4599 else if (IS_MATCH("aswSnx")) 4600 fFound |= SUPHARDNT_ADVERSARY_AVAST; 4601 else if (IS_MATCH("aswsp")) 4602 fFound |= SUPHARDNT_ADVERSARY_AVAST; 4603 else if (IS_MATCH("aswStm")) 4604 fFound |= SUPHARDNT_ADVERSARY_AVAST; 4605 else if (IS_MATCH("aswVmm")) 4606 fFound |= SUPHARDNT_ADVERSARY_AVAST; 4607 #undef IS_MATCH 4608 pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = wcSaved; 4609 4610 /* Next directory entry. */ 4611 pObjDir++; 4967 if (NT_SUCCESS(rcNt)) 4968 { 4969 /* 4970 * Enumerate it, looking for the driver. 4971 */ 4972 ULONG uObjDirCtx = 0; 4973 for (;;) 4974 { 4975 uint32_t abBuffer[_64K + _1K]; 4976 ULONG cbActual; 4977 rcNt = NtQueryDirectoryObject(hDir, 4978 abBuffer, 4979 sizeof(abBuffer) - 4, /* minus four for string terminator space. 
*/ 4980 FALSE /*ReturnSingleEntry */, 4981 FALSE /*RestartScan*/, 4982 &uObjDirCtx, 4983 &cbActual); 4984 if (!NT_SUCCESS(rcNt) || cbActual < sizeof(OBJECT_DIRECTORY_INFORMATION)) 4985 break; 4986 4987 POBJECT_DIRECTORY_INFORMATION pObjDir = (POBJECT_DIRECTORY_INFORMATION)abBuffer; 4988 while (pObjDir->Name.Length != 0) 4989 { 4990 WCHAR wcSaved = pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)]; 4991 pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = '\0'; 4992 4993 for (uint32_t i = 0; i < RT_ELEMENTS(s_aDrivers); i++) 4994 if (RTUtf16ICmpAscii(pObjDir->Name.Buffer, s_aDrivers[i].pszDriver) == 0) 4995 { 4996 fFound |= s_aDrivers[i].fAdversary; 4997 SUP_DPRINTF(("Found driver %s (%#x)\n", s_aDrivers[i].pszDriver, s_aDrivers[i].fAdversary)); 4998 break; 4999 } 5000 5001 pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = wcSaved; 5002 5003 /* Next directory entry. */ 5004 pObjDir++; 5005 } 4612 5006 } 4613 } 4614 4615 /* 4616 * Clean up and return. 4617 */ 4618 NtClose(hDir); 5007 5008 NtClose(hDir); 5009 } 5010 else 5011 SUP_DPRINTF(("NtOpenDirectoryObject failed on \\Driver: %#x\n", rcNt)); 5012 5013 /* 5014 * Look for files. 
5015 */ 5016 for (uint32_t i = 0; i < RT_ELEMENTS(s_aFiles); i++) 5017 { 5018 HANDLE hFile = RTNT_INVALID_HANDLE_VALUE; 5019 IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER; 5020 UNICODE_STRING UniStrName; 5021 UniStrName.Buffer = (WCHAR *)s_aFiles[i].pwszFile; 5022 UniStrName.Length = (USHORT)(RTUtf16Len(s_aFiles[i].pwszFile) * sizeof(WCHAR)); 5023 UniStrName.MaximumLength = UniStrName.Length + sizeof(WCHAR); 5024 InitializeObjectAttributes(&ObjAttr, &UniStrName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/); 5025 rcNt = NtCreateFile(&hFile, GENERIC_READ, &ObjAttr, &Ios, NULL /* Allocation Size*/, FILE_ATTRIBUTE_NORMAL, 5026 FILE_SHARE_READ, FILE_OPEN, FILE_NON_DIRECTORY_FILE, NULL /*EaBuffer*/, 0 /*EaLength*/); 5027 if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status)) 5028 { 5029 fFound |= s_aFiles[i].fAdversary; 5030 NtClose(hFile); 5031 } 5032 } 5033 5034 /* 5035 * Log details. 5036 */ 5037 SUP_DPRINTF(("supR3HardenedWinFindAdversaries: %#x\n", fFound)); 5038 for (uint32_t i = 0; i < RT_ELEMENTS(s_aFiles); i++) 5039 if (fFound & s_aFiles[i].fAdversary) 5040 supR3HardenedLogAdversarialFile(s_aFiles[i].pwszFile); 4619 5041 4620 5042 return fFound; … … 4670 5092 */ 4671 5093 g_fSupAdversaries = supR3HardenedWinFindAdversaries(); 4672 SUP_DPRINTF(("g_fSupAdversaries=%#x\n", g_fSupAdversaries));4673 5094 4674 5095 /*
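Review bot: The resource-section lookup in supR3HardenedLogAdversarialFile (new lines 4684-4688) subtracts in the wrong direction, so the resource directory is only found when it starts exactly at a section's VirtualAddress: `paSectHdrs[i].VirtualAddress - RsrcDir.VirtualAddress` wraps to a large unsigned value whenever the directory RVA lies after the section start, and the file offset built from the same difference would be wrong in that case too. The condition should read `RsrcDir.VirtualAddress - paSectHdrs[i].VirtualAddress < paSectHdrs[i].SizeOfRawData` and the offset `paSectHdrs[i].PointerToRawData + (RsrcDir.VirtualAddress - paSectHdrs[i].VirtualAddress)`. Because this path is diagnostic logging only, the visible symptom is the "Resource section not found." message for images whose .rsrc section carries other data before the directory. Separately, in the version-string scan `cwcLeft -= cwcField + 2;` (line 4723) can underflow the size_t when a match sits within cwcField+2 characters of the remaining budget, which would then pass an oversized length to RTUtf16ValidateEncodingEx and let it scan past the union on the stack; a guard such as `if (cwcLeft < cwcField + 2) break;` before the subtraction would close that.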